17 Percent of Android Apps Contain Major Connection Flaws

Thousands of Android apps in the Google Play store are flawed in
ways that make supposedly secure connections vulnerable to
interception and tampering by a third party sitting between the app
and its server (a man-in-the-middle), who could steal personal and
financial information.

A study of more than 13,000 popular free apps found that 17
percent of them made weak or insecure SSL/TLS connections, that
is, connections that do not properly verify the identity of the
server they are talking to. Correct verification is essential
whenever sensitive information is sent, as in a mobile banking app.

To test the concept, the German study team, made up of six
researchers from Philipps University in Marburg and Leibniz
University in Hannover, was able to capture credit-card numbers and
account-login details by intercepting connections that should have
been protected, Kaspersky's Threatpost security blog reported.

The team built a proof-of-concept analysis tool, dubbed MalloDroid,
that scans an app's code for SSL/TLS handling likely to be
exploitable. It flagged nearly 1,100 of the apps.

"We have successfully manipulated virus signatures downloaded via
the automatic update functionality of an anti-virus app ... It
was possible to remotely inject and execute code in an app
created by a vulnerable app-building framework."

"The findings of our investigation suggest several areas of
future work," the team, which will make MalloDroid available to
consumers, said. "There seems to be a need for more education and
simpler tools to enable easy and secure development of Android
apps."

In other words, the affected apps should not be trusted with
sensitive details such as credit-card numbers and login
credentials. Unfortunately, Threatpost did not name the affected
apps, and the academic paper that might list them is behind a
paywall.

A synopsis of the paper said only that the
apps had been installed by "between 39.5 [million] and 185
million users."

According to Threatpost, the researchers suggested that an
Android-specific implementation of the Electronic Frontier
Foundation's HTTPS Everywhere browser plug-in might
solve the problem.